Igor’s tip of the week #08: Batch mode under the hood

We briefly covered batch mode last time, but the basic functionality is not always enough, so let’s discuss how to customize it.

Basic usage

To recap, the batch mode can be invoked with this command line:

ida -B -Lida.log <other switches> <filename>

IDA will load the file, wait for the end of analysis, and write the full disassembly to <filename>.asm.

How it works

In fact, -B is a shorthand for -A -Sanalysis.idc:

  • -A: enable autonomous mode (answer all queries with the default choice).
  • -Sanalysis.idc: run the script analysis.idc after loading the file.

You can find analysis.idc in the idc subdirectory of the IDA install. In IDA 7.5 it looks as follows:

static main()
{
	// turn on coagulation of data in the final pass of analysis
	set_inf_attr(INF_AF, get_inf_attr(INF_AF) | AF_DODATA | AF_FINAL);
	// .. and plan the entire address space for the final pass
	auto_mark_range(0, BADADDR, AU_FINAL);
	msg("Waiting for the end of the auto analysis...\n");
	auto_wait();
	msg("\n\n------ Creating the output file.... --------\n");
	// replace the 4-character database extension (.idb/.i64) with .asm
	auto file = get_idb_path()[0:-4] + ".asm";
	auto fhandle = fopen(file, "w");
	gen_file(OFILE_ASM, fhandle, 0, BADADDR, 0); // create the assembler file
	msg("All done, exiting...\n");
	qexit(0); // exit to OS, error code 0 - success
}

Thus, to modify the behavior of the batch mode you can:

  • Either modify the standard analysis.idc
  • Or specify a different script using -S<myscript.idc>

For example, to output an LST file (it includes address prefixes), change the gen_file call:

gen_file(OFILE_LST, fhandle, 0, BADADDR, 0);

Batch decompilation

If you have the decompiler for the target file’s architecture, you can also run it in batch mode.

For example, to decompile the whole file:

ida -Ohexrays:outfile.c:ALL -A <filename>

To decompile only the function main:

ida -Ohexrays:outfile.c:main -A <filename>

This uses functionality built into the decompiler plugin, which works similarly to the analysis.idc script (wait for the end of autoanalysis, then decompile the specified functions to outfile.c).

Customizing batch decompilation

If the default functionality is not enough, you could write a plugin to drive the decompiler via its C++ API. However, for scripting it’s probably more convenient to use Python. Similarly to IDC, Python scripts can be used with the -S switch to be run automatically after the file is loaded.

A sample script is attached to this post. Use it as follows:

ida -A -Sdecompile_entry_points.py -Llogfile.txt <filename>
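As an added illustration of what such a script looks like (this is not the attached decompile_entry_points.py, and not Hex-Rays code), here is an IDAPython batch decompiler that mirrors the structure of analysis.idc: wait for autoanalysis, do the work, exit with qexit. It takes the output path and an optional comma-separated function list as script arguments, which IDA exposes in idc.ARGV when the script is given as -S"batch_decompile.py out.c main,init". The script name batch_decompile.py and the IDA 7.x module names it imports are assumptions; it needs a decompiler installed for the target architecture.

```python
"""Added example: IDAPython batch decompilation driver (not the post's attachment).

Run as:   ida -A -S"batch_decompile.py out.c main,init" -Lida.log <filename>
Pass ALL (or nothing) instead of a name list to decompile every function.
"""
try:
    import ida_auto
    import ida_funcs
    import ida_hexrays
    import ida_kernwin
    import ida_pro
    import idautils
    import idc
    IN_IDA = True
except ImportError:
    # Not running inside IDA: only the pure-Python helper parse_args() is usable.
    IN_IDA = False


def parse_args(argv):
    """Interpret idc.ARGV: argv[0] is the script path, argv[1] the output file,
    argv[2] an optional comma-separated function list. 'ALL' or a missing
    list means every function and is returned as None."""
    outfile = argv[1] if len(argv) > 1 else None
    names = None
    if len(argv) > 2 and argv[2].strip().upper() != "ALL":
        names = [n.strip() for n in argv[2].split(",") if n.strip()]
    return outfile, names


def resolve_functions(names):
    """Map function names to start addresses; None means all functions in the IDB."""
    if names is None:
        return list(idautils.Functions())
    eas = []
    for name in names:
        ea = idc.get_name_ea_simple(name)
        if ea == idc.BADADDR or ida_funcs.get_func(ea) is None:
            ida_kernwin.msg("warning: no function named %s, skipping\n" % name)
            continue
        eas.append(ea)
    return eas


def decompile_to_file(outfile, eas):
    """Decompile each function and write its pseudocode to outfile.
    Returns (ok, failed); one failing function does not abort the whole run."""
    ok = failed = 0
    with open(outfile, "w") as fp:
        for ea in eas:
            name = idc.get_func_name(ea)
            try:
                cfunc = ida_hexrays.decompile(ea)
            except ida_hexrays.DecompilationFailure as exc:
                ida_kernwin.msg("decompilation of %s failed: %s\n" % (name, exc))
                cfunc = None
            if cfunc is None:
                failed += 1
                continue
            fp.write("// %s @ 0x%X\n%s\n\n" % (name, ea, str(cfunc)))
            ok += 1
    return ok, failed


def main():
    # Same discipline as analysis.idc: never touch the database before autoanalysis ends.
    ida_auto.auto_wait()
    if not ida_hexrays.init_hexrays_plugin():
        ida_kernwin.msg("decompiler not available for this file\n")
        ida_pro.qexit(1)
    outfile, names = parse_args(idc.ARGV)
    if outfile is None:
        # Default next to the database, like the .asm naming in analysis.idc
        # (strips the 4-character .idb/.i64 extension).
        outfile = idc.get_idb_path()[:-4] + ".c"
    ok, failed = decompile_to_file(outfile, resolve_functions(names))
    ida_kernwin.msg("wrote %d function(s) to %s, %d failed\n" % (ok, outfile, failed))
    # Nonzero exit status lets a driver script notice partial failures.
    ida_pro.qexit(0 if failed == 0 else 2)


if IN_IDA:
    main()
```

Because -A answers every prompt with its default, the script cannot rely on any dialog; that is why it checks init_hexrays_plugin() itself and reports through the -L log and the exit status rather than through the UI.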

Speeding up batch processing

In the examples so far we’ve been using the ida executable, which is the full GUI version of IDA. Even though the UI is not actually displayed in batch mode, it still has to load and initialize all the dependent UI libraries, which can take non-negligible time. This is why it is often better to use the text-mode executable (idat), which uses a lightweight text-mode UI. However, it still needs a terminal even in batch mode. In case you need to run it in a situation without a terminal (e.g. in the background or from a daemon), you can use the following approach:

  1. set environment variable TVHEADLESS=1
  2. redirect output

For example:

TVHEADLESS=1 idat -A -Smyscript.idc file.bin >/dev/null &
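The same recipe, wrapped in a small Python driver for processing many files in a row (an added example, not code from the post): it sets TVHEADLESS=1 in the child environment, discards the terminal output, keeps a per-file -L log, and records each run's exit status, with a timeout so one stuck analysis cannot hang the whole batch. The script name myscript.idc, the idat name on PATH, the .log suffix and the timeout are this example's own choices.

```python
"""Added example: headless idat batch driver (not from the original post)."""
import os
import subprocess


def build_command(target, script="myscript.idc", idat="idat"):
    """Build argv, environment and log path for one headless run of idat.
    -A: autonomous mode, -S: run script after load, -L: message log file,
    TVHEADLESS=1: let the text-mode UI start without a terminal."""
    log = target + ".log"            # per-file log, an assumption of this example
    argv = [idat, "-A", "-S" + script, "-L" + log, target]
    env = dict(os.environ, TVHEADLESS="1")
    return argv, env, log


def run_batch(targets, timeout=600, **kw):
    """Run idat over each file in turn, output redirected to /dev/null as in the
    post. Returns {target: exit status}; a timed-out run is recorded as None."""
    results = {}
    for target in targets:
        argv, env, log = build_command(target, **kw)
        try:
            proc = subprocess.run(argv, env=env, stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL, timeout=timeout)
            results[target] = proc.returncode
        except subprocess.TimeoutExpired:
            # Analysis did not finish in time; the -L log shows where it stopped.
            results[target] = None
    return results


if __name__ == "__main__":
    import sys
    for path, status in run_batch(sys.argv[1:]).items():
        print("%s: %s" % (path, "timeout" if status is None else "exit %d" % status))
```

The status IDA returns is whatever the -S script passed to qexit(), so a script that exits nonzero on failure (analysis.idc uses qexit(0) for success) lets the driver flag problem files without parsing the logs.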

Downloads

decompile_entry_points.py

Article Link: https://www.hex-rays.com/blog/igor-tip-of-the-week-08-batch-mode-under-the-hood/